Bradley Panton, John Colombi, Michael Grimaila, Robert Mills
2013 unpublished
Every year, the DoD upgrades its information technology systems, allows new applications to connect to the network, and reconfigures the Enterprise to gain efficiencies. While these actions are intended to better support the warfighter and satisfy national security interests, they also introduce new system vulnerabilities waiting to be exploited. This article recommends that the DoD enter the vulnerability marketplace to mitigate the risk of a cyber attack that uses these undiscovered vulnerabilities. Through use of the vulnerability market, the DoD will ensure information security is built into the application, minimize the number of distributed patches, and optimize investment in defense programs.

Secure DoD Software Considerations for the Vulnerability Market

lengths to test the security of a product. Through developmental and operational test and evaluation, penetration testing, and the comprehensive information assurance certification and accreditation process, the DoD seeks to identify and mitigate the risk of possible cyber attacks resulting in the loss of money and life. These tests, coupled with a bolted-on defense-in-depth strategy, share one critical shortfall: none of them analyzes the system for undiscovered or obscure vulnerabilities.

The vulnerability disclosure lifecycle of a system typically consists of three phases: learning, linear, and saturation [1], as shown in Figure 1. These phases matter because the vulnerability discovery rate rises and falls over time as the system passes through each window. The learning phase begins immediately after the system is released to the public. During this phase researchers and hackers are still becoming familiar with the system and learning how to break it, so the discovery rate tends to be low. In the linear phase that follows, the cumulative number of vulnerabilities discovered by users grows roughly linearly; this surge of discoveries is driven by the system gaining market penetration and by increased familiarity with it. Once the system approaches obsolescence, or as the pool of undiscovered vulnerabilities is depleted, the discovery rate falls off as users migrate to a replacement and hackers lose interest. The system is then in the saturation phase.
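To make the three phases operational for a defender deciding where patching and test effort should go, the following is an added Python example, not code from the paper or its authors. It labels each month of a disclosure series as learning, linear, or saturation by comparing that month's discovery rate with the peak rate. The monthly counts are constructed to illustrate the S-shaped curve, and the criterion (a month at or above half the peak rate counts as linear, lower months are learning before the peak and saturation after it) and the optional smoothing window are assumptions chosen for illustration; the paper gives no numeric rule for the phase boundaries.

```python
"""Phase classification for a vulnerability disclosure lifecycle.

Added example, not code from the paper. The monthly disclosure counts below
are constructed to show the learning / linear / saturation shape; the phase
criterion (a month's discovery rate relative to the peak rate) and the 50%
threshold are assumptions, not figures from the paper.
"""
from typing import Dict, List, Tuple

# Constructed sample: new vulnerabilities disclosed per month over 48 months.
# Months 0-11 are slow (learning), 12-27 are the surge (linear), and 28-47
# tail off (saturation).
SAMPLE_MONTHLY: List[int] = (
    [0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 2, 1]
    + [3, 3, 4, 5, 5, 6, 6, 6, 6, 5, 5, 4, 4, 3, 3, 3]
    + [2, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
)


def cumulative(monthly: List[int]) -> List[int]:
    """Running total of disclosures; this is the S-shaped curve of Figure 1."""
    total, out = 0, []
    for n in monthly:
        total += n
        out.append(total)
    return out


def smoothed_rates(monthly: List[int], window: int = 1) -> List[float]:
    """Trailing moving average of the per-month discovery rate.

    window=1 returns the raw rates; a larger window damps a single quiet
    month so it is not mislabelled as a phase change.
    """
    if window < 1:
        raise ValueError("window must be >= 1")
    return [
        sum(monthly[max(0, i - window + 1): i + 1]) / min(window, i + 1)
        for i in range(len(monthly))
    ]


def classify_phases(monthly: List[int], threshold: float = 0.5,
                    window: int = 1) -> List[str]:
    """Label each month 'learning', 'linear' or 'saturation'.

    A month at or above threshold * peak rate is in the linear phase.
    Months below that are 'learning' if they precede the peak month and
    'saturation' if they follow it.
    """
    rates = smoothed_rates(monthly, window)
    peak = max(rates, default=0.0)
    if peak == 0:
        # Nothing disclosed yet: the product has not left the learning phase.
        return ["learning"] * len(monthly)
    peak_idx = rates.index(peak)
    cutoff = threshold * peak
    labels = []
    for i, r in enumerate(rates):
        if r >= cutoff:
            labels.append("linear")
        elif i < peak_idx:
            labels.append("learning")
        else:
            labels.append("saturation")
    return labels


def phase_spans(labels: List[str]) -> Dict[str, Tuple[int, int]]:
    """First and last month index carrying each label."""
    spans: Dict[str, Tuple[int, int]] = {}
    for i, label in enumerate(labels):
        start, _ = spans.get(label, (i, i))
        spans[label] = (start, i)
    return spans


def disclosures_per_phase(monthly: List[int], labels: List[str]) -> Dict[str, int]:
    """How many vulnerabilities surfaced during each phase."""
    totals: Dict[str, int] = {}
    for n, label in zip(monthly, labels):
        totals[label] = totals.get(label, 0) + n
    return totals


if __name__ == "__main__":
    labels = classify_phases(SAMPLE_MONTHLY)
    print("phase spans (month index):", phase_spans(labels))
    print("disclosures per phase:", disclosures_per_phase(SAMPLE_MONTHLY, labels))
    print("current phase:", labels[-1])
```

On the constructed series the linear phase accounts for the large majority of disclosures, which is the practical point of the model: test and evaluation done only before release (the learning window) cannot see what the market will find once the product gains users. Real disclosure data is noisy, so on real input set `window` to three or more months before trusting a phase boundary.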